mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git
synced 2025-12-25 14:10:08 +01:00
bonding: steer IGMP queries to the active bond balance-slb primary port
Add chains and rules to steer the IGMP reports to the primary member port. This rules are adapted from the script provided by Eric Garver. https://gitlab.com/egarver/virtual-networking/-/blob/master/mlag.sh Fixes:e9268e3924('firewall: add mlag firewall utils for multi chassis link aggregation (MLAG) for bonding-slb') (cherry picked from commitc691dd7ecf) (cherry picked from commitb9a733d00b)
This commit is contained in:
Fernando Fernandez Mancera
Íñigo Huguet
parent
0f9d0cd6a3
commit
35d326324b
2 changed files with 106 additions and 23 deletions
|
|
@ -844,6 +844,18 @@ nm_firewall_nft_stdio_mlag(gboolean up,
|
|||
chain_name,
|
||||
previous_member);
|
||||
_append(&strbuf, "delete chain netdev %s %s", table_name, chain_name);
|
||||
|
||||
chain_name =
|
||||
_strbuf_set_sanitized(&strbuf_1, "tx-redirect-igmp-reports-", previous_member);
|
||||
|
||||
_append(&strbuf,
|
||||
"add chain netdev %s %s {"
|
||||
" type filter hook egress device %s priority filter + 1; "
|
||||
"}",
|
||||
table_name,
|
||||
chain_name,
|
||||
previous_member);
|
||||
_append(&strbuf, "delete chain netdev %s %s", table_name, chain_name);
|
||||
}
|
||||
|
||||
/* OVS SLB rule 1
|
||||
|
|
@ -940,6 +952,57 @@ nm_firewall_nft_stdio_mlag(gboolean up,
|
|||
"add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged%s drop",
|
||||
table_name,
|
||||
s_counter);
|
||||
|
||||
/* IGMP SNOOPING
|
||||
*
|
||||
* This redirects all IGMP reports to the primary member port. The TOR switches
|
||||
* may prune the multicast tree. If we let the bonding vlan+srcmac hash occur,
|
||||
* then the TOR may send the pruned multicast stream to a bond member port for
|
||||
* which the RX filters will drop (e.g. report out non-primary, stream in
|
||||
* non-primary). If it's known multicast then we must control the pruned tree by
|
||||
* only sending the IGMP reports on a port for which we will accept the traffic,
|
||||
* i.e. the primary member port.
|
||||
*/
|
||||
for (i = 0; i < n_active_members; i++) {
|
||||
const char *active_member = active_members[i];
|
||||
const char *chain_name;
|
||||
|
||||
if (!_nft_ifname_valid(active_member))
|
||||
continue;
|
||||
|
||||
chain_name =
|
||||
_strbuf_set_sanitized(&strbuf_1, "tx-redirect-igmp-reports-", active_member);
|
||||
|
||||
_append(&strbuf,
|
||||
"add chain netdev %s %s {"
|
||||
" type filter hook egress device %s priority filter + 1; "
|
||||
"}",
|
||||
table_name,
|
||||
chain_name,
|
||||
active_member);
|
||||
/* first is primary, we clean up in case it was previously a non-primary member */
|
||||
if (i == 0) {
|
||||
_append(&strbuf, "delete chain netdev %s %s", table_name, chain_name);
|
||||
continue;
|
||||
}
|
||||
|
||||
_append(&strbuf,
|
||||
"add rule netdev %s %s igmp type {"
|
||||
" membership-report-v1, membership-report-v2, membership-report-v3 "
|
||||
"}%s fwd to %s",
|
||||
table_name,
|
||||
chain_name,
|
||||
s_counter,
|
||||
active_members[0]);
|
||||
_append(&strbuf,
|
||||
"add rule netdev %s %s icmpv6 type {"
|
||||
" mld-listener-report, mld2-listener-report "
|
||||
"}%s fwd to %s",
|
||||
table_name,
|
||||
chain_name,
|
||||
s_counter,
|
||||
active_members[0]);
|
||||
}
|
||||
}
|
||||
|
||||
out:
|
||||
|
|
|
|||
|
|
@ -2671,8 +2671,10 @@ test_nm_firewall_nft_stdio_mlag(void)
|
|||
"nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 "
|
||||
"rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete "
|
||||
"chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 "
|
||||
"rx-drop-bc-mc-eth1 { type filter hook ingress device eth1 priority filter; }\012delete "
|
||||
"chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth1\012add set netdev nm-mlag-bond0 "
|
||||
"tx-redirect-igmp-reports-eth2 { type filter hook egress device eth2 priority filter + 1; "
|
||||
"}\012delete chain netdev nm-mlag-bond0 tx-redirect-igmp-reports-eth2\012add chain netdev "
|
||||
"nm-mlag-bond0 rx-drop-bc-mc-eth1 { type filter hook ingress device eth1 priority filter; "
|
||||
"}\012delete chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth1\012add set netdev nm-mlag-bond0 "
|
||||
"macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; }\012add set netdev "
|
||||
"nm-mlag-bond0 macset-untagged { typeof ether saddr; flags dynamic,timeout; }\012add chain "
|
||||
"netdev nm-mlag-bond0 tx-snoop-source-mac { type filter hook egress device bond0 priority "
|
||||
|
|
@ -2683,7 +2685,9 @@ test_nm_firewall_nft_stdio_mlag(void)
|
|||
"priority filter; }\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr . "
|
||||
"vlan id @macset-tagged counter drop\012add rule netdev nm-mlag-bond0 "
|
||||
"rx-drop-looped-packets ether type vlan counter return\012add rule netdev nm-mlag-bond0 "
|
||||
"rx-drop-looped-packets ether saddr @macset-untagged counter drop\012");
|
||||
"rx-drop-looped-packets ether saddr @macset-untagged counter drop\012add chain netdev "
|
||||
"nm-mlag-bond0 tx-redirect-igmp-reports-eth1 { type filter hook egress device eth1 priority "
|
||||
"filter + 1; }\012delete chain netdev nm-mlag-bond0 tx-redirect-igmp-reports-eth1\012");
|
||||
|
||||
_T(TRUE,
|
||||
"bond0",
|
||||
|
|
@ -2695,8 +2699,10 @@ test_nm_firewall_nft_stdio_mlag(void)
|
|||
"nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 "
|
||||
"rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete "
|
||||
"chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 "
|
||||
"rx-drop-bc-mc-eth1 { type filter hook ingress device eth1 priority filter; }\012delete "
|
||||
"chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth1\012add set netdev nm-mlag-bond0 "
|
||||
"tx-redirect-igmp-reports-eth2 { type filter hook egress device eth2 priority filter + 1; "
|
||||
"}\012delete chain netdev nm-mlag-bond0 tx-redirect-igmp-reports-eth2\012add chain netdev "
|
||||
"nm-mlag-bond0 rx-drop-bc-mc-eth1 { type filter hook ingress device eth1 priority filter; "
|
||||
"}\012delete chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth1\012add set netdev nm-mlag-bond0 "
|
||||
"macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; }\012add set netdev "
|
||||
"nm-mlag-bond0 macset-untagged { typeof ether saddr; flags dynamic,timeout; }\012add chain "
|
||||
"netdev nm-mlag-bond0 tx-snoop-source-mac { type filter hook egress device bond0 priority "
|
||||
|
|
@ -2707,7 +2713,9 @@ test_nm_firewall_nft_stdio_mlag(void)
|
|||
"filter; }\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr . vlan id "
|
||||
"@macset-tagged drop\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether type "
|
||||
"vlan return\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr "
|
||||
"@macset-untagged drop\012");
|
||||
"@macset-untagged drop\012add chain netdev nm-mlag-bond0 tx-redirect-igmp-reports-eth1 { "
|
||||
"type filter hook egress device eth1 priority filter + 1; }\012delete chain netdev "
|
||||
"nm-mlag-bond0 tx-redirect-igmp-reports-eth1\012");
|
||||
|
||||
_T(TRUE,
|
||||
"bond0",
|
||||
|
|
@ -2720,23 +2728,35 @@ test_nm_firewall_nft_stdio_mlag(void)
|
|||
"nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 "
|
||||
"rx-drop-bc-mc-eth4 { type filter hook ingress device eth4 priority filter; }\012delete "
|
||||
"chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth4\012add chain netdev nm-mlag-bond0 "
|
||||
"rx-drop-bc-mc-eth5 { type filter hook ingress device eth5 priority filter; }\012delete "
|
||||
"chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth5\012add chain netdev nm-mlag-bond0 "
|
||||
"rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete "
|
||||
"chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 "
|
||||
"rx-drop-bc-mc-eth3 { type filter hook ingress device eth3 priority filter; }\012add rule "
|
||||
"netdev nm-mlag-bond0 rx-drop-bc-mc-eth3 pkttype { broadcast, multicast } drop\012add set "
|
||||
"netdev nm-mlag-bond0 macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; "
|
||||
"}\012add set netdev nm-mlag-bond0 macset-untagged { typeof ether saddr; flags "
|
||||
"dynamic,timeout; }\012add chain netdev nm-mlag-bond0 tx-snoop-source-mac { type filter "
|
||||
"hook egress device bond0 priority filter; }\012add rule netdev nm-mlag-bond0 "
|
||||
"tx-snoop-source-mac set update ether saddr . vlan id timeout 5s @macset-tagged "
|
||||
"return\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr timeout "
|
||||
"5s @macset-untagged\012add chain netdev nm-mlag-bond0 rx-drop-looped-packets { type filter "
|
||||
"hook ingress device bond0 priority filter; }\012add rule netdev nm-mlag-bond0 "
|
||||
"rx-drop-looped-packets ether saddr . vlan id @macset-tagged drop\012add rule netdev "
|
||||
"nm-mlag-bond0 rx-drop-looped-packets ether type vlan return\012add rule netdev "
|
||||
"nm-mlag-bond0 rx-drop-looped-packets ether saddr @macset-untagged drop\012");
|
||||
"tx-redirect-igmp-reports-eth4 { type filter hook egress device eth4 priority filter + 1; "
|
||||
"}\012delete chain netdev nm-mlag-bond0 tx-redirect-igmp-reports-eth4\012add chain netdev "
|
||||
"nm-mlag-bond0 rx-drop-bc-mc-eth5 { type filter hook ingress device eth5 priority filter; "
|
||||
"}\012delete chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth5\012add chain netdev "
|
||||
"nm-mlag-bond0 tx-redirect-igmp-reports-eth5 { type filter hook egress device eth5 priority "
|
||||
"filter + 1; }\012delete chain netdev nm-mlag-bond0 tx-redirect-igmp-reports-eth5\012add "
|
||||
"chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 "
|
||||
"priority filter; }\012delete chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain "
|
||||
"netdev nm-mlag-bond0 rx-drop-bc-mc-eth3 { type filter hook ingress device eth3 priority "
|
||||
"filter; }\012add rule netdev nm-mlag-bond0 rx-drop-bc-mc-eth3 pkttype { broadcast, "
|
||||
"multicast } drop\012add set netdev nm-mlag-bond0 macset-tagged { typeof ether saddr . vlan "
|
||||
"id; flags dynamic,timeout; }\012add set netdev nm-mlag-bond0 macset-untagged { typeof "
|
||||
"ether saddr; flags dynamic,timeout; }\012add chain netdev nm-mlag-bond0 "
|
||||
"tx-snoop-source-mac { type filter hook egress device bond0 priority filter; }\012add rule "
|
||||
"netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr . vlan id timeout 5s "
|
||||
"@macset-tagged return\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update "
|
||||
"ether saddr timeout 5s @macset-untagged\012add chain netdev nm-mlag-bond0 "
|
||||
"rx-drop-looped-packets { type filter hook ingress device bond0 priority filter; }\012add "
|
||||
"rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr . vlan id @macset-tagged "
|
||||
"drop\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether type vlan return\012add "
|
||||
"rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr @macset-untagged drop\012add "
|
||||
"chain netdev nm-mlag-bond0 tx-redirect-igmp-reports-eth2 { type filter hook egress device "
|
||||
"eth2 priority filter + 1; }\012delete chain netdev nm-mlag-bond0 "
|
||||
"tx-redirect-igmp-reports-eth2\012add chain netdev nm-mlag-bond0 "
|
||||
"tx-redirect-igmp-reports-eth3 { type filter hook egress device eth3 priority filter + 1; "
|
||||
"}\012add rule netdev nm-mlag-bond0 tx-redirect-igmp-reports-eth3 igmp type { "
|
||||
"membership-report-v1, membership-report-v2, membership-report-v3 } fwd to eth2\012add rule "
|
||||
"netdev nm-mlag-bond0 tx-redirect-igmp-reports-eth3 icmpv6 type { mld-listener-report, "
|
||||
"mld2-listener-report } fwd to eth2\012");
|
||||
|
||||
_T(FALSE,
|
||||
"bond0",
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue